New Email Infrastructure Used to Send Over a Million Malware-Laden Emails


A study on two aspects of a new email infrastructure used to deliver over a million malware-laden emails per month has recently been published by Microsoft. This infrastructure has been used to distribute at least seven different forms of malware, and seems to be a replacement after the destruction of the Necurs botnet.

Emerging email platform for attackers

The development of this infrastructure goes back to March and April 2020. This email infrastructure, consisting of two segments called StrangeU and RandomU, has been observed and evaluated by Microsoft since then.

  • The infrastructure of StrangeU (using the term strange in new domains) and RandomU (creating random domain names) has mainly targeted victims in financial services, hospitals, and bulk delivery in Australia, the United States, and the United Kingdom.
  • The infrastructure has been used to primarily target corporate email addresses, while ignoring user accounts, from commodity malware such as Makop and Mondfoxia to distributing persistent malware like Trickbot, Dofoil, Emotet, Dopplepaymer, and Dridex.
  • According to Microsoft, though, the basics of having initial access to applications have remained the same. Spear-phishing emails, false alarms, emergency updates, and trendy lures were the key strategies and instruments.

Current attacks focused on emails

Several attack attempts have been seen in recent months exploiting email infrastructure to threaten possible victims.

  • Scammers were observed last month exploiting some gaps in Microsoft 365 read receipts and out of office answers to threaten their victims.
  • In the same month, in order to spy on targets, attackers hijacked email security links from a Mimecast-issued certificate used to authenticate some of the company’s goods on Microsoft 365 Exchange Web Services.

Wrapping Up

The use of advanced strategies for email networks such as complex domain-name creation suggests that cybercriminals make daily investments in developing their email-based attack tactics. In order to obtain initial access to networks, attackers repeatedly rely on familiar malicious techniques, such as emails with malicious connections or attachments. This calls for an immediate need to tighten protection through corporate networks centered on email.

Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards & w-se. Previously, he worked as a security news reporter.